Implement a GDPR Compliance Program

Learning Objectives

Describe different activities that organizations can undertake to prepare for the GDPR.

Salesforce Is Committed to Privacy

At Salesforce, trust is our #1 value, and nothing is more important than the success of our customers and the protection of their data. Salesforce was the first top-10 software company in the world to protect its customers' data with binding corporate rules for processors approved by European data protection authorities. Salesforce was also one of the first companies in the world to certify compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.

Salesforce welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU. We’ve worked closely with European lawmakers, EU data protection authorities, and industry associations throughout the development and approval of the GDPR. We’re committed to complying with the GDPR in providing services to our customers. And we’re committed to ensuring that our customers can continue to use our services while complying with GDPR. We know that, similar to existing legal requirements, complying with the GDPR requires a partnership between Salesforce and our customers.

We have robust security and privacy programs in place that meet the highest standards in the industry. They enable us to comply with a variety of data protection laws and regulations applicable to Salesforce. Our services have earned numerous security-related certifications based on the administrative, technical, and physical safeguards we use to protect our customers’ personal data. For some of our services, these certifications include the International Organization for Standardization (ISO) 27001 and 27018 standards, the American Institute of CPAs’ (AICPA) System and Organization Controls (SOC) reports, the Payment Card Industry Data Security Standards (PCI), the TÜV Rheinland Certified Cloud Service, and the UK Cyber Essentials Scheme. Our services have also earned the TRUSTe Certified seal, signifying that the privacy certification organization TRUSTe reviewed our privacy practices and found them to be in compliance with its certification standards.

Finally, Salesforce publishes Trust and Compliance documentation for each of our major services. This documentation describes the architecture of each service, the security- and privacy-related audits and certifications the service has received, and the applicable administrative, technical, and physical controls. The documentation also describes the infrastructure environment and entities material to our provision of services.

Let’s review the three mechanisms that Salesforce uses to facilitate cross-border data transfers.

Cross-Border Data Transfer Mechanisms

Binding corporate rules (BCRs): Company-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area (EEA) to countries outside the EEA. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities. Salesforce was the first top-10 software company in the world to achieve approval for BCRs for processors.

The EU-US Privacy Shield and Swiss-US Privacy Shield: Frameworks designed by the US Department of Commerce, along with the European Commission and the Swiss government, to provide companies with a mechanism for complying with European data protection requirements when they’re transferring personal data from Europe to the United States. Companies certify compliance with the US Department of Commerce and are subject to oversight and enforcement by the US Federal Trade Commission. Salesforce was one of the first companies to certify under the EU-US Privacy Shield.

Standard contractual clauses (“model clauses”): Legal contracts between parties who are transferring personal data from Europe to countries outside the EEA. The European Commission drafted and approved the standard contractual clauses, which contain detailed obligations related to the protection of personal data.

Preparing for Compliance with the GDPR

Compliance with the GDPR requires a partnership. Salesforce customers cannot rely solely on Salesforce to make sure they’re in compliance with the GDPR. Any organization subject to the GDPR can take steps to ensure it is compliant with the law. So what can organizations do?

Get Buy-in and Build Your Team

The first thing any organization can do is make sure its leadership is aware of the importance of compliance with the GDPR. Achieving compliance requires organizations to commit substantial staff resources and financial investments. It’s difficult to do that if the leadership doesn’t appreciate the risks and the challenges.

The next thing to do is identify the core team to work on the compliance effort. The organization can appoint a leader to oversee the initiative and possibly serve as the data protection officer. Each department in the company can appoint one or more point people. Those people, in turn, can identify colleagues who are passionate about privacy issues and want to serve as privacy advocates. It’s particularly important to have representatives from the information security, procurement, legal, human resources, product management, and marketing departments on the team that leads the compliance effort.

Assess Your Organization

Once an organization has assembled its cross-functional team, the team can analyze the organization’s existing privacy and security efforts to identify the top areas of focus. One important element of the analysis is to understand where the organization stores personal data. Many organizations learn that they have dozens, if not hundreds, of different databases and systems that store personal data. The personal data can come from employees, job applicants, and people who fill out forms on websites, participate in contests or loyalty programs, make purchases, fill out rebate or warranty cards, attend events, or contact customer service teams via email, phone, or social media.

Note

Databases and systems that store personal data may be used by many different departments within a company. Marketing, sales, human resources, finance, IT, sourcing, payroll, risk management, health and safety, audit, and legal departments each may operate their own systems or work with different vendors to manage personal data.

As an organization identifies where it stores this data, the team can build a data inventory that shows, for each storage system, which type of data is stored there, where it came from, what it is used for, who has access to it, how it is secured, which third parties it is transferred to, and how long to keep it. In going through this effort, the team can also identify all the third parties that the organization either receives personal data from or transfers personal data to.

From the analysis, organizations can create a register of data processing activities, and identify which activities pose high risks to data privacy. For each high-risk activity, organizations can carry out a data protection impact assessment to determine the actions they need to take to ensure that they’re properly protecting individual privacy rights.

Establish Controls and Processes

Once an organization has a better understanding of its data, the team can create a roadmap of necessary operational and technological changes. The roadmap can ensure the organization has appropriate controls and processes, such as:

Privacy notices: Privacy notices must be provided wherever personal data is collected, including through the use of website cookies and tags.

Usage limitations: Administrative or technological controls can be used to limit the organization’s use of data to the purposes for which it collected the data.

Vendor management: Organizations must have contracts with affiliates, vendors, and other third parties that collect or receive personal data, including standard contractual clauses or other mechanisms to legalize data transfers outside the EU.

Incident response: Processes must be created to detect and respond to security breaches, including remediating the breach and notifying all necessary parties.

Training: Employee and vendor training must be delivered to raise awareness of privacy policies, processes, and requirements, and to teach people how to report concerns and suspicious data activity.

Assessments: Data protection impact assessments must be conducted for each high-risk data processing activity.

Document Compliance

Once an organization is on the path toward compliance, the team can focus on documenting compliance efforts. The organization can compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, internal company data transfer agreements, and vendor contracts. If required, the organization can appoint a data protection officer and identify the appropriate EU supervisory authority. It’s also useful for organizations to conduct periodic assessments or audits of the privacy program to ensure that everything is operating as planned.

The path to compliance with the GDPR is filled with many questions, choices, and complex analyses. It’s a long but interesting journey, and one organizations must undertake with executive support and guidance from knowledgeable internal and external partners. However, it’s made easier by keeping in mind the one overarching principle made clear in the opening sentence of the GDPR: The protection of personal data is a fundamental right.